devise-jwt 0.5.4 → 0.5.5
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/README.md +40 -4
- data/devise-jwt.gemspec +1 -1
- data/lib/devise/jwt/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 57b63a9ada186b91ddf11b892501aabae2f4492d
|
4
|
+
data.tar.gz: fa3f300ec74e2486c89a8c1a43ddd5e2cf7de9dd
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: a3266cc44d2018dba06637e32ddc38c7d03a10d51db4c2417e3c4fd7efa4972bbc62e85176fab2b69aadebf5be34ade00685d32f08e609c0782fa16b288db74d
|
7
|
+
data.tar.gz: 6b633a9f667ee171e4b7c874ccbd321959b91c3581cc92c63a2d599ac9aa67db4eaff2088d5b3c0d725b3498fa6fc480917af85509785dae1d4f4ef1419baa42
|
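Review bot: nothing to change in the checksum lines, but only the new SHA1/SHA512 values for `metadata.gz` and `data.tar.gz` are visible here, so the review step is to fetch the published gem, unpack it (`gem fetch devise-jwt -v 0.5.5` followed by `tar xf devise-jwt-0.5.5.gem`) and confirm that `sha512sum data.tar.gz` reproduces the `6b633a9f…` value above before trusting the bump.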
data/CHANGELOG.md
CHANGED
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
|
|
4
4
|
The format is based on [Keep a Changelog](http://keepachangelog.com/)
|
5
5
|
and this project adheres to [Semantic Versioning](http://semver.org/).
|
6
6
|
|
7
|
+
## [0.5.5] - 2018-01-30
|
8
|
+
### Fixed
|
9
|
+
- Update `warden-jwt_auth` dependency to reenable JWT scopes being stored to
|
10
|
+
the session and inform the user.
|
11
|
+
|
7
12
|
## [0.5.4] - 2018-01-09
|
8
13
|
### Fixed
|
9
14
|
- Update `warden-jwt_auth` dependency to allow a JWT scope to be fetched from
|
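Review bot: the new 0.5.5 entry under `### Fixed` runs two unrelated items into one sentence ("reenable JWT scopes being stored to the session and inform the user"), and "reenable" reads as if session storage were a feature being restored, while the README section added in this same release treats it as a caveat. Suggest two bullets: one for the `warden-jwt_auth` bump (the gemspec hunk pins `~> 0.3.5`), and one for the new "Session storage caveat" README section, so a reader can tell which part is a code change and which is documentation.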
data/README.md
CHANGED
@@ -26,7 +26,7 @@ You can read about which security concerns this library takes into account and a
|
|
26
26
|
Add this line to your application's Gemfile:
|
27
27
|
|
28
28
|
```ruby
|
29
|
-
gem 'devise-jwt', '~> 0.5.
|
29
|
+
gem 'devise-jwt', '~> 0.5.5'
|
30
30
|
```
|
31
31
|
|
32
32
|
And then execute:
|
@@ -111,6 +111,42 @@ config.middleware.insert_before 0, Rack::Cors do
|
|
111
111
|
end
|
112
112
|
```
|
113
113
|
|
114
|
+
#### Session storage caveat
|
115
|
+
|
116
|
+
If you are working with a Rails application that has session storage enabled
|
117
|
+
and a default devise setup, chances are that same origin requests will be
|
118
|
+
authenticated from the session regardless of a token being present in the
|
119
|
+
headers or not.
|
120
|
+
|
121
|
+
This is so because of the following default devise workflow:
|
122
|
+
|
123
|
+
- When a user signs in with `:database_authenticatable` strategy, the user is
|
124
|
+
stored in the session unless one of the following conditions is met:
|
125
|
+
- Session is disabled.
|
126
|
+
- Devise `config.skip_session_storage` includes `:params_auth`.
|
127
|
+
- [Rails Request forgery
|
128
|
+
protection](http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html)
|
129
|
+
handles an unverified request (but this is usually deactivated for API
|
130
|
+
requests).
|
131
|
+
- Warden (the engine below devise), authenticates any request that has the user
|
132
|
+
in the session without even reaching to any strategy (`:jwt_authenticatable`
|
133
|
+
in our case).
|
134
|
+
|
135
|
+
So, if you want to avoid this caveat you have two options:
|
136
|
+
|
137
|
+
- Disable the session. If you are developing an API, probably you don't need
|
138
|
+
it. In order to disable it, change `config/initializers/session_store.rb` to:
|
139
|
+
```ruby
|
140
|
+
Rails.application.config.session_store :disabled
|
141
|
+
```
|
142
|
+
Notice that if you created the application with the `--api` flag you already
|
143
|
+
have the session disabled.
|
144
|
+
- If you still need the session for any other purpose, disable
|
145
|
+
`:database_authenticatable` user storage. In `config/initializers/devise.rb`:
|
146
|
+
```ruby
|
147
|
+
config.skip_session_storage = [:http_auth, :params_auth]
|
148
|
+
```
|
149
|
+
|
114
150
|
### Revocation strategies
|
115
151
|
|
116
152
|
`devise-jwt` comes with three revocation strategies out of the box. Some of them are implementations of what is discussed in the blog post [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/), where I also talk about their pros and cons.
|
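Review bot: the caveat correctly explains that a user already present in the session is authenticated by Warden before `:jwt_authenticatable` ever runs, but neither remedy addresses sessions created before the setting is changed: `config.skip_session_storage = [:http_auth, :params_auth]` only stops new sign-ins from being written, so an existing session cookie keeps authenticating requests without a token until it expires or is cleared. Suggest adding a sentence to that effect after the second option, and for the first option noting that switching the store to `:disabled` stops existing cookies from being read at all. It would also help to say why `:http_auth` is included in the array when the bullet above only names `:params_auth` as the condition that matters.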
@@ -311,9 +347,9 @@ end
|
|
311
347
|
|
312
348
|
### Testing
|
313
349
|
|
314
|
-
Models configured with `:jwt_authenticatable`
|
315
|
-
session. For this reason, `sign_in` devise testing helper methods won't
|
316
|
-
expected.
|
350
|
+
Models configured with `:jwt_authenticatable` usually won't be retrieved from
|
351
|
+
the session. For this reason, `sign_in` devise testing helper methods won't
|
352
|
+
work as expected.
|
317
353
|
|
318
354
|
What you need to do in order to authenticate test environment requests is the
|
319
355
|
same that you will do in production: to provide a valid token in the
|
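Review bot: the reworded sentence now hedges with "usually won't be retrieved from the session" but does not say when they will be; suggest linking to the new "Session storage caveat" section so that a reader whose `sign_in` helper happens to work understands it is because the session was populated, not because the JWT strategy ran.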
data/devise-jwt.gemspec
CHANGED
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
|
|
22
22
|
spec.require_paths = ["lib"]
|
23
23
|
|
24
24
|
spec.add_dependency 'devise', '~> 4.0'
|
25
|
-
spec.add_dependency 'warden-jwt_auth', '~> 0.3.
|
25
|
+
spec.add_dependency 'warden-jwt_auth', '~> 0.3.5'
|
26
26
|
|
27
27
|
spec.add_development_dependency "bundler", "~> 1.12"
|
28
28
|
spec.add_development_dependency "rake", "~> 10.0"
|
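Review bot: the `warden-jwt_auth` constraint `~> 0.3.5` matches the `metadata` hunk below, but since the whole fix in this release lives in that transitive dependency, the changelog entry should name 0.3.5 explicitly so users can confirm their Gemfile.lock actually resolved it; a plain `bundle install` against an existing lockfile keeps the old `warden-jwt_auth`, so the upgrade needs `bundle update devise-jwt`.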
data/lib/devise/jwt/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: devise-jwt
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.5.
|
4
|
+
version: 0.5.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Marc Busqué
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-01-
|
11
|
+
date: 2018-01-30 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: devise
|
@@ -30,14 +30,14 @@ dependencies:
|
|
30
30
|
requirements:
|
31
31
|
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 0.3.
|
33
|
+
version: 0.3.5
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 0.3.
|
40
|
+
version: 0.3.5
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: bundler
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|